apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
spec:
  hub: {{ istio_hub }}
  tag: {{ istio_tag }}

  revision: 1-6-10
  # You may override parts of meshconfig by uncommenting the following lines.
  meshConfig:
    defaultConfig:
      proxyMetadata: {}
    enablePrometheusMerge: false
    # Opt-out of global http2 upgrades.
    # Destination rule is used to opt-in.
    # h2_upgrade_policy: DO_NOT_UPGRADE

  # Traffic management feature
  components:
    base:
      enabled: true
    pilot:
      enabled: true
      k8s:
        env:
          - name: POD_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
        readinessProbe:
          httpGet:
            path: /ready
            port: 8080
          initialDelaySeconds: 1
          periodSeconds: 3
          timeoutSeconds: 5
        strategy:
          rollingUpdate:
            maxSurge: "100%"
            maxUnavailable: "25%"

    # Policy feature
    policy:
      enabled: false
      k8s:
        hpaSpec:
          maxReplicas: 5
          minReplicas: 1
          scaleTargetRef:
            apiVersion: apps/v1
            kind: Deployment
            name: istio-policy
          metrics:
            - type: Resource
              resource:
                name: cpu
                targetAverageUtilization: 80
        env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
        strategy:
          rollingUpdate:
            maxSurge: "100%"
            maxUnavailable: "25%"

    # Telemetry feature
    telemetry:
      enabled: false
      k8s:
        env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
          - name: GOMAXPROCS
            value: "6"
        hpaSpec:
          maxReplicas: 5
          minReplicas: 1
          scaleTargetRef:
            apiVersion: apps/v1
            kind: Deployment
            name: istio-telemetry
          metrics:
            - type: Resource
              resource:
                name: cpu
                targetAverageUtilization: 80
        replicaCount: 1
        resources:
          requests:
            cpu: 1000m
            memory: 1G
          limits:
            cpu: 4800m
            memory: 4G
        strategy:
          rollingUpdate:
            maxSurge: "100%"
            maxUnavailable: "25%"

    # Security feature
    citadel:
      enabled: false
      k8s:
        strategy:
          rollingUpdate:
            maxSurge: "100%"
            maxUnavailable: "25%"

    # Istio Gateway feature
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        env:
          - name: ISTIO_META_ROUTER_MODE
            value: "sni-dnat"
        service:
          ports:
            - port: 15021
              targetPort: 15021
              name: status-port
            - port: 80
              targetPort: 8080
              name: http2
            - port: 443
              targetPort: 8443
              name: https
            - port: 15443
              targetPort: 15443
              name: tls
        hpaSpec:
          maxReplicas: 5
          minReplicas: 1
          scaleTargetRef:
            apiVersion: apps/v1
            kind: Deployment
            name: istio-ingressgateway
          metrics:
            - type: Resource
              resource:
                name: cpu
                targetAverageUtilization: 80
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 2000m
            memory: 1024Mi
        strategy:
          rollingUpdate:
            maxSurge: "100%"
            maxUnavailable: "25%"

    egressGateways:
    - name: istio-egressgateway
      enabled: false
      k8s:
        env:
          - name: ISTIO_META_ROUTER_MODE
            value: "sni-dnat"
        service:
          ports:
            - port: 80
              name: http2
              targetPort: 8080
            - port: 443
              name: https
              targetPort: 8443
            - port: 15443
              targetPort: 15443
              name: tls
        hpaSpec:
          maxReplicas: 5
          minReplicas: 1
          scaleTargetRef:
            apiVersion: apps/v1
            kind: Deployment
            name: istio-egressgateway
          metrics:
            - type: Resource
              resource:
                name: cpu
                targetAverageUtilization: 80
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 2000m
            memory: 1024Mi
        strategy:
          rollingUpdate:
            maxSurge: "100%"
            maxUnavailable: "25%"
    # Istio CNI feature
    cni:
      enabled: false

    # istiod remote configuration wwhen istiod isn't installed on the cluster
    istiodRemote:
      enabled: false

  addonComponents:
    prometheus:
      enabled: false
      k8s:
        replicaCount: 1
    kiali:
      enabled: false
      k8s:
        replicaCount: 1
    grafana:
      enabled: false
      k8s:
        replicaCount: 1
    tracing:
      enabled: false
    istiocoredns:
      enabled: false

  # Global values passed through to helm global.yaml.
  # Please keep this in sync with manifests/charts/global.yaml
  values:
    global:
      revision: 1-6-10
      istioNamespace: istio-system
      istiod:
        enabled: true
        enableAnalysis: false
      logging:
        level: "default:info"
      logAsJson: false
      pilotCertProvider: istiod
      jwtPolicy: first-party-jwt
      proxy:
        image: proxyv2
        clusterDomain: "cluster.local"
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 2000m
            memory: 1024Mi
        logLevel: warning
        componentLogLevel: "misc:error"
        privileged: false
        enableCoreDump: false
        statusPort: 15020
        readinessInitialDelaySeconds: 1
        readinessPeriodSeconds: 2
        readinessFailureThreshold: 30
        includeIPRanges: "*"
        excludeIPRanges: ""
        excludeOutboundPorts: ""
        excludeInboundPorts: ""
        autoInject: disabled
        envoyStatsd:
          enabled: false
          host: # example: statsd-svc.istio-system
          port: # example: 9125
        tracer: "zipkin"
      proxy_init:
        image: proxyv2
        resources:
          limits:
            cpu: 100m
            memory: 50Mi
          requests:
            cpu: 10m
            memory: 10Mi
      # Specify image pull policy if default behavior isn't desired.
      # Default behavior: latest images will be Always else IfNotPresent.
      imagePullPolicy: "IfNotPresent"
      operatorManageWebhooks: false
      controlPlaneSecurityEnabled: false
      tracer:
        lightstep:
          address: ""                # example: lightstep-satellite:443
          accessToken: ""            # example: abcdefg1234567
        zipkin:
          address: "jaeger-collector.istio-system.svc:9411"
        datadog:
          address: "$(HOST_IP):8126"
        stackdriver:
          debug: false
          maxNumberOfAttributes: 200
          maxNumberOfAnnotations: 200
          maxNumberOfMessageEvents: 200
      imagePullSecrets: []
      arch:
        amd64: 2
        s390x: 2
        ppc64le: 2
      oneNamespace: false
      defaultNodeSelector: {}
      configValidation: true
      meshExpansion:
        enabled: false
        useILB: false
      multiCluster:
        enabled: false
        clusterName: ""
      omitSidecarInjectorConfigMap: false
      network: ""
      defaultResources:
        requests:
          cpu: 10m
      defaultPodDisruptionBudget:
        enabled: true
      priorityClassName: ""
      useMCP: false
      trustDomain: "cluster.local"
      sds:
        token:
          aud: istio-ca
      sts:
        servicePort: 0
      meshNetworks: {}
      enableHelmTest: false
      mountMtlsCerts: false
    base:
      validationURL: ""
    pilot:
      autoscaleEnabled: true
      autoscaleMin: 1
      autoscaleMax: 5
      replicaCount: 1
      image: pilot
      traceSampling: 1.0
      configNamespace: istio-config
      appNamespaces: []
      env: {}
      cpu:
        targetAverageUtilization: 80
      nodeSelector: {}
      tolerations: []
      podAntiAffinityLabelSelector: []
      podAntiAffinityTermLabelSelector: []
      keepaliveMaxServerConnectionAge: 30m
      enableProtocolSniffingForOutbound: true
      enableProtocolSniffingForInbound: true
      deploymentLabels:
      configMap: true
      policy:
        enabled: false

    telemetry:
      enabled: true
      v1:
        enabled: false
      v2:
        enabled: true
        metadataExchange: {}
        prometheus:
          enabled: true
        stackdriver:
          enabled: false
          logging: false
          monitoring: false
          topology: false
          configOverride: {}
    mixer:
      adapters:
        stdio:
          enabled: false
          outputAsJson: false
        prometheus:
          enabled: true
          metricsExpiryDuration: 10m
        kubernetesenv:
          enabled: true
        stackdriver:
          enabled: false
          auth:
            appCredentials: false
            apiKey: ""
            serviceAccountPath: ""
          tracer:
            enabled: false
            sampleProbability: 1
        useAdapterCRDs: false

      telemetry:
        image: mixer
        replicaCount: 1
        autoscaleEnabled: true
        sessionAffinityEnabled: false
        loadshedding:
          mode: enforce
          latencyThreshold: 100ms
        env:
          GOMAXPROCS: "6"
        nodeSelector: {}
        tolerations: []
        podAntiAffinityLabelSelector: []
        podAntiAffinityTermLabelSelector: []

      policy:
        autoscaleEnabled: true
        image: mixer
        sessionAffinityEnabled: false
        adapters:
          kubernetesenv:
            enabled: true
          useAdapterCRDs: false

    istiodRemote:
      injectionURL: ""

    gateways:
      istio-egressgateway:
        zvpn: {}
        env: {}
        autoscaleEnabled: true
        type: ClusterIP
        name: istio-egressgateway
        secretVolumes:
          - name: egressgateway-certs
            secretName: istio-egressgateway-certs
            mountPath: /etc/istio/egressgateway-certs
          - name: egressgateway-ca-certs
            secretName: istio-egressgateway-ca-certs
            mountPath: /etc/istio/egressgateway-ca-certs

      istio-ingressgateway:
        autoscaleEnabled: true
        applicationPorts: ""
        debug: info
        domain: ""
        type: LoadBalancer
        name: istio-ingressgateway
        zvpn: {}
        env: {}
        meshExpansionPorts:
          - port: 15011
            targetPort: 15011
            name: tcp-pilot-grpc-tls
          - port: 15012
            targetPort: 15012
            name: tcp-istiod
          - port: 8060
            targetPort: 8060
            name: tcp-citadel-grpc-tls
          - port: 853
            targetPort: 8853
            name: tcp-dns-tls
        secretVolumes:
          - name: ingressgateway-certs
            secretName: istio-ingressgateway-certs
            mountPath: /etc/istio/ingressgateway-certs
          - name: ingressgateway-ca-certs
            secretName: istio-ingressgateway-ca-certs
            mountPath: /etc/istio/ingressgateway-ca-certs

    sidecarInjectorWebhook:
      enableNamespacesByDefault: true
      rewriteAppHTTPProbe: true
      injectLabel: istio-injection
      objectSelector:
        enabled: false
        autoInject: true

    prometheus:
      hub: docker.io/prom
      tag: v2.15.1
      retention: 6h
      scrapeInterval: 15s
      contextPath: /prometheus

      security:
        enabled: true
      nodeSelector: {}
      tolerations: []
      podAntiAffinityLabelSelector: []
      podAntiAffinityTermLabelSelector: []
      provisionPrometheusCert: true

    grafana:
      image:
        repository: grafana/grafana
        tag: 6.7.4
      persist: false
      storageClassName: ""
      accessMode: ReadWriteMany
      security:
        enabled: false
        secretName: grafana
        usernameKey: username
        passphraseKey: passphrase
      contextPath: /grafana
      service:
        annotations: {}
        name: http
        type: ClusterIP
        externalPort: 3000
        loadBalancerIP:
        loadBalancerSourceRanges:
      datasources:
        datasources.yaml:
          apiVersion: 1
          datasources:
      dashboardProviders:
        dashboardproviders.yaml:
          apiVersion: 1
          providers:
            - name: 'istio'
              orgId: 1
              folder: 'istio'
              type: file
              disableDeletion: false
              options:
                path: /var/lib/grafana/dashboards/istio
      nodeSelector: {}
      tolerations: []
      podAntiAffinityLabelSelector: []
      podAntiAffinityTermLabelSelector: []
      env: {}
      envSecrets: {}

    tracing:
      provider: jaeger
      nodeSelector: {}
      podAntiAffinityLabelSelector: []
      podAntiAffinityTermLabelSelector: []
      jaeger:
        hub: docker.io/jaegertracing
        tag: "1.16"
        memory:
          max_traces: 50000
        spanStorageType: badger
        persist: false
        storageClassName: ""
        accessMode: ReadWriteMany
      zipkin:
        hub: docker.io/openzipkin
        tag: 2.20.0
        probeStartupDelay: 10
        queryPort: 9411
        resources:
          limits:
            cpu: 1000m
            memory: 2048Mi
          requests:
            cpu: 150m
            memory: 900Mi
        javaOptsHeap: 700
        maxSpans: 500000
        node:
          cpus: 2
      opencensus:
        hub: docker.io/omnition
        tag: 0.1.9
        resources:
          limits:
            cpu: "1"
            memory: 2Gi
          requests:
            cpu: 200m
            memory: 400Mi
        exporters:
          stackdriver:
            enable_tracing: true
      service:
        annotations: {}
        name: http-query
        type: ClusterIP
        externalPort: 9411
    istiocoredns:
      coreDNSImage: coredns/coredns
      coreDNSTag: 1.6.2
      coreDNSPluginImage: istio/coredns-plugin:0.2-istio-1.1

    kiali:
      hub: quay.io/kiali
      tag: v1.18
      contextPath: /kiali
      nodeSelector: {}
      podAntiAffinityLabelSelector: []
      podAntiAffinityTermLabelSelector: []
      dashboard:
        secretName: kiali
        usernameKey: username
        passphraseKey: passphrase
        viewOnlyMode: false
        grafanaURL:
        grafanaInClusterURL: http://grafana:3000
        jaegerURL:
        jaegerInClusterURL: http://tracing/jaeger
        auth:
          strategy: login
      prometheusNamespace:
      createDemoSecret: false
      security:
        enabled: false
        cert_file: /kiali-cert/cert-chain.pem
        private_key_file: /kiali-cert/key.pem
      service:
        annotations: {}

    # TODO: derive from operator API
    version: ""
    clusterResources: true
